How to deploy Zimbra ZCS Open Source Edition on Amazon EC2

This guide should help you deploy Zimbra ZCS 7.1.3_GA on an Ubuntu 10.04 instance with Amazon EC2.

Prerequisites

1) Ensure you have set up Amazon EC2 CLI scripts …

Download tools from here http://aws.amazon.com/developertools/351

Generate certificates in the security credentials section of AWS control panel

Set up environment variables in your .bash_profile (using your key paths, and your preferred EC2 region)

export EC2_PRIVATE_KEY=/path/to/ec2-private-key.pem
export EC2_CERT=/path/to/ec2-cert.pem
export EC2_URL=https://eu-west-1.ec2.amazonaws.com

2) Ensure you have imported your public SSH key (replace paul-public-key with whatever label you want to use)

for r in us-east-1 us-west-1 ap-southeast-1 eu-west-1; do ec2-import-keypair --region $r paul-public-key --public-key-file ~/.ssh/id_rsa.pub ; done

3) Set up an elastic IP, and then create DNS entries for your mail server that point to that IP. Let’s assume you are going to call your mail server mail1.example.com; you will then need the following records in example.com’s zone:

mail1 CNAME ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com.
mail1 MX 10 mail1

Where xxx-xxx-xxx-xxx is your elastic IP. For other domains, you can then point their MX records to mail1.example.com.

4) Set up a security group for your Zimbra server with the desired ports open (25, 80, 110, 143, 389, 443, 993, 995, 7071, 7110, 7143, 7993, 7995, etc.). The commands below only open 22, 25, 80 and 7071; add the others you need in the same way.

ec2-create-group "Zimbra ZCS" -d "Zimbra Collaboration Suite Group"
ec2-authorize "Zimbra ZCS" -P icmp -t -1:-1
ec2-authorize "Zimbra ZCS" -P tcp -p 22
ec2-authorize "Zimbra ZCS" -P tcp -p 25
ec2-authorize "Zimbra ZCS" -P tcp -p 80
ec2-authorize "Zimbra ZCS" -P tcp -p 7071

Instructions

1) Launch a new instance. Replace paul-public-key with the name of your public key (which must already have been imported into AWS, see Prerequisites). The -g switch refers to your security group. We use 100GB as the root disk size, as the default is too small for a Zimbra installation.

// This will launch a new instance of Ubuntu 10.04 LTS
ec2-run-instances -t m1.large -g "Zimbra ZCS" -k paul-public-key -b "/dev/sda1=:100:false" ami-cc0e3cb8 --region eu-west-1

2) SSH in and resize the filesystem to the full disk size. Run ec2-describe-instances to find your new instance’s public IP address, then ssh in to it and resize the file system.

ssh ubuntu@your-instance-public-ip
sudo su -
resize2fs /dev/sda1

3) Assign the elastic IP you chose earlier

// Check your instance’s ID
ec2-describe-instances
// Associate the address to the instance
ec2-associate-address ELASTIC_IP_ADDRESS -i INSTANCE_ID

4) Set up hostname on the system

echo 'mail1.example.com' > /etc/hostname
echo '127.0.0.1 mail1.example.com mail1' >> /etc/hosts
hostname mail1.example.com

Then check it works with:

hostname --fqdn

IMPORTANT: The commands above map the system’s hostname to 127.0.0.1 in /etc/hosts. You need all three fields on that line (e.g. 127.0.0.1 mail1.example.com mail1); otherwise the LDAP install fails, because it tries to connect to the resolved elastic IP. In addition, use a CNAME rather than an A record for the hostname that your public MX records point at: when it is resolved from inside EC2 it then returns the instance’s local IP, which helps Postfix with LMTP lookups. If you don’t do this you will run into the issues described at http://wiki.zimbra.com/wiki/Incoming_Mail_Problems. A crude fix is to open port 7025 in the security group, but the CNAME is better.

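
A preflight check for the /etc/hosts requirement just described, added here as an example (it is not part of the original guide): it parses a hosts file and reports the two cases that make the LDAP install fail. The function names and the sample hosts files are constructed for this example.

```python
"""Preflight check for the /etc/hosts entry the Zimbra installer depends on.

Added example, not from the original guide. It parses hosts-file text and
confirms the FQDN sits on a 127.0.0.1 line with its short name, and that no
other line maps the FQDN to another address (the installer would otherwise
try to reach LDAP via the resolved public IP). Works on Python 2.6 and 3.
"""
import sys


def parse_hosts(text):
    """Return (address, [names]) per entry, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def check_hosts(text, fqdn, short):
    """Return a list of problems; an empty list means the entry is as required."""
    problems = []
    loopback_names = None
    for addr, names in parse_hosts(text):
        if fqdn not in names:
            continue
        if addr == "127.0.0.1":
            loopback_names = names
        else:
            problems.append("%s also resolves to %s via /etc/hosts" % (fqdn, addr))
    if loopback_names is None:
        problems.append("no '127.0.0.1 %s %s' line found" % (fqdn, short))
    elif short not in loopback_names:
        problems.append("loopback line for %s lacks the short name %s" % (fqdn, short))
    return problems


# Constructed samples: GOOD_HOSTS is what the guide's echo commands produce.
GOOD_HOSTS = "127.0.0.1 localhost\n127.0.0.1 mail1.example.com mail1\n::1 ip6-localhost\n"
BAD_HOSTS = "127.0.0.1 localhost\n10.0.1.23 mail1.example.com   # public IP, wrong\n"

if __name__ == "__main__":
    # Usage: python check_hosts.py mail1.example.com mail1  (reads the live /etc/hosts)
    with open("/etc/hosts") as fh:
        found = check_hosts(fh.read(), sys.argv[1], sys.argv[2])
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it on the instance after the echo commands and before ./install.sh; a non-zero exit means the installer will not find the loopback mapping it needs.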
5) Download Zimbra

cd /root/
mkdir zimbra
cd zimbra
// Download the appropriate version for your Linux distribution (and architecture, e.g. 64-bit)
wget http://files.zimbra.com/downloads/7.1.3_GA/zcs-7.1.3_GA_3346.UBUNTU10_64.20110928134610.tgz
tar -xvzf zcs-7.1.3_GA_3346.UBUNTU10_64.20110928134610.tgz

6) Install dependencies

apt-get install libperl5.10 sysstat sqlite3

7) Install Zimbra (this takes about 10-15 minutes)

./install.sh

Keep all default settings and proceed with install

When it complains “DNS ERROR – none of the MX records for mail1.example.com resolve to this host” say No to change domain name.

Set the admin password at the menu (make a note of it).

Apply changes.

You can login to the web interface with:

u: [email protected]
p: whatever you set in the install script

http://mail1.example.com/
https://mail1.example.com:7071/zimbraAdmin/

Try sending a test e-mail to [email protected] – you should be able to log in to the web interface and view it.

References:

http://alestic.com/index.html – Ubuntu Image List

http://www.zimbra.com/downloads/os-downloads.html – Zimbra Downloads

http://elijahpaul.co.uk/2011/09/installing-zimbra-7-0-zcs-on-ubuntu-10-04-lts-using-amazon-aws/


Sharing S3 Buckets and all sub folders

I recently needed to share an S3 bucket and all the sub-folders (objects) within it, but it wasn’t immediately obvious how to do it. After some experimentation I discovered the following solution.

If you want to give someone full read access to all objects within a bucket, you must:

  1. Set up the ACL on the bucket itself to give them list and view permissions.
  2. Set up a bucket policy on the bucket itself that applies to all objects within that bucket:

{
	"Version": "2008-10-17",
	"Id": "PolicyToAllowFredReadAccess",
	"Statement": [
		{
			"Sid": "Give Fred Read Access to all objects in this bucket",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::12346789012:root"
			},
			"Action": "s3:GetObject*",
			"Resource": "arn:aws:s3:::example-bucket/*"
		}
	]
}

The two values to change here are 1) 12346789012, the user’s AWS account ID (shown on the account page with hyphens, as 1234-5678-9012), and 2) example-bucket, the bucket name.

You can also grant by canonical user id:

{
	"Version":"2008-10-17",
	"Id":"PolicyToAllowFredReadAccess",
	"Statement":[{
			"Sid":"Give Fred Read Access to all objects in this bucket",
			"Effect":"Allow",
			"Principal":{
				"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
			},
			"Action":["s3:GetObject"],
			"Resource":"arn:aws:s3:::example-bucket/*"
		}
	]
}
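
Before attaching a policy like the two above, it is worth checking that it grants no more than read access on that one bucket. The following linter is an added example, not code from the original post; lint_policy, the sample policies and the 12-digit placeholder account id are constructed for it.

```python
"""Least-privilege check for an S3 bucket policy of the kind shown above.

Added example, not from the original post. lint_policy() reports any Allow
statement that grants more than read access on one bucket: anonymous
principals, non-read actions, resources outside the bucket, or a malformed
account id. Account ids and bucket names below are constructed.
"""
import json
import re


def _as_list(value):
    # Policy fields may be a string or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for s3:Get*/s3:List* actions (including the s3:GetObject* wildcard)."""
    return re.match(r"^s3:(Get|List)[A-Za-z]*\*?$", action) is not None


def lint_policy(document, bucket):
    """Return a list of findings; an empty list means read-only access on `bucket`."""
    policy = json.loads(document) if isinstance(document, str) else document
    allowed = ("arn:aws:s3:::%s" % bucket, "arn:aws:s3:::%s/*" % bucket)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = [] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal == "*" or "*" in aws:
            findings.append("%s: grants access to everyone (anonymous principal)" % sid)
        for arn in aws:  # AWS account ids are always 12 digits
            m = re.match(r"^arn:aws:iam::(\d+):", arn)
            if m and len(m.group(1)) != 12:
                findings.append("%s: account id %s is not 12 digits" % (sid, m.group(1)))
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append("%s: action %s is not read-only" % (sid, action))
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append("%s: resource %s is outside bucket %s" % (sid, res, bucket))
    return findings


# Constructed policies: READ_ONLY mirrors the shape used above with a placeholder id.
READ_ONLY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "ReadOnlyForOneAccount", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
TOO_BROAD = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::*"}]})
```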

Import your own RSA SSH key into Amazon EC2

I read a few weeks ago that Amazon now allow you to import your own RSA keys into EC2, but at the time I couldn’t find anywhere that explained how to do it. However, I have now found out how thanks to an Egyptian blogger.

It doesn’t look like it’s currently possible through the AWS Management Console, but you can do it through the command-line tools. You have to upload your key to each region separately, but thankfully this can be done with a one-liner:

for r in us-east-1 us-west-1 ap-southeast-1 eu-west-1; do ec2-import-keypair --region $r paul-public-key --public-key-file ~/.ssh/id_rsa.pub ; done

Replace ~/.ssh/id_rsa.pub with the path to your public key, and paul-public-key with the name you would like to appear in Amazon for your key.

NB: You need the EC2 tools set up before you can run this. You will also need to have set up an X.509 certificate pair. There are some useful instructions for this here.

You can read more about the ec2-import-keypair command in the EC2 documentation.